
‘VeryMal’ malvertising campaign targets Mac users with Shlayer trojan

Threat actors conducted this malvertising campaign from January 11 to January 13, 2019.

The malicious campaign was capable of infecting as many as 5 million Mac users a day.

A new malvertising campaign dubbed ‘VeryMal’ has been affecting a million Mac users with the Shlayer trojan. This latest campaign employs a steganography technique to hide malicious code inside ad images to avoid detection.

The campaign has been named after one of the attackers’ ad-serving domains, veryield-malyst[.]com. According to a report from the security firm Confiant, threat actors conducted this malvertising campaign from January 11 to January 13, 2019. The malicious campaign was capable of infecting as many as 5 million Mac users a day.

Modus Operandi

The infection process begins with a message that tells internet users that their Flash Player is out of date and redirects them to a malicious link. The link contains an ad with an image of a small white bar. This white bar image contains JavaScript code, hidden via a steganography technique, which enables the attackers to check whether the user’s machine supports Apple fonts. If it does not find any such fonts on the machine, the program terminates automatically.

“In fact, the steganography comes into play in order to deliver only part of the payload, and the image needs to be processed in order for that piece to be extracted and then utilized. The image alone will not harm your computer or redirect your browser,” said Eliya Stein, a researcher at Confiant.
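As an added illustration (not code from Confiant’s report or from this article): a defender-side check for the trick described above, where script text rides in the pixels of an ad creative that should be a flat white bar. The image is modelled as a list of (R, G, B) tuples so the check runs without an imaging library; the blue-channel least-significant-bit encoding, the script-marker list and the sample creative are assumptions constructed for the example, not the campaign’s actual encoding.

```python
from typing import Dict, List, Tuple

Pixel = Tuple[int, int, int]
WHITE: Pixel = (255, 255, 255)
# Assumed tokens that make a decoded payload look like JavaScript.
SCRIPT_MARKERS = (b"function", b"eval(", b"document", b"window.", b"var ")


def lsb_bits(pixels: List[Pixel], channel: int) -> List[int]:
    """Least-significant bit of one colour channel across every pixel, in order."""
    return [p[channel] & 1 for p in pixels]


def extract_lsb_text(pixels: List[Pixel], channel: int = 2) -> bytes:
    """Read the channel's LSBs as 8-bit, MSB-first bytes until a NUL byte or end of data."""
    bits = lsb_bits(pixels, channel)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)


def assess_creative(pixels: List[Pixel], expected: Pixel = WHITE) -> Dict[str, object]:
    """Flag a creative that should be flat white but carries pixel-level noise
    that decodes to script-like text. Returns the measurements for the analyst."""
    deviating = sum(1 for p in pixels if p != expected)
    ratio = deviating / len(pixels) if pixels else 0.0
    payload = extract_lsb_text(pixels)
    printable = payload and all(32 <= c < 127 or c in (9, 10, 13) for c in payload)
    scripty = printable and any(m in payload for m in SCRIPT_MARKERS)
    return {"deviation_ratio": ratio, "payload": payload,
            "suspicious": ratio > 0.0 and bool(scripty)}


def build_sample(text: bytes, width: int = 512) -> List[Pixel]:
    """Constructed test input: a 'white bar' whose blue-channel LSBs spell out text."""
    bits = [(byte >> (7 - k)) & 1 for byte in text + b"\x00" for k in range(8)]
    pixels = [WHITE] * width
    for i, bit in enumerate(bits):
        pixels[i] = (255, 255, 254 + bit)  # blue 254 encodes 0, 255 encodes 1
    return pixels
```

A genuinely blank creative yields a zero deviation ratio and a payload of 0xFF bytes that fails the printable check, so it is not flagged; a bar carrying script text is.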

If visitors click on the image, the Shlayer trojan is downloaded to the device without their knowledge. The Shlayer trojan masquerades as a fake Flash update in order to infect Mac users.

Commenting on the technique used in the campaign, Stein said, “The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

While the January campaign of ‘VeryMal’ targeted Mac users, Confiant’s research claims that the operators of ‘VeryMal’ had targeted iOS users in their previous campaigns.

Ryan Stewart

Ryan is a senior cybersecurity and privacy analyst. He keenly follows the innovation and development in cybersecurity technologies, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world.
